Malware Analysis Report

2024-08-06 14:11

Sample ID 240616-ef8r9aydkd
Target e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606
SHA256 e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606
Tags
upx modiloader persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606

Threat Level: Known bad

The file e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606 was found to be: Known bad.

Malicious Activity Summary

upx modiloader persistence trojan

ModiLoader, DBatLoader

UPX dump on OEP (original entry point)

UPX dump on OEP (original entry point)

ModiLoader Second Stage

Detects Windows executables referencing non-Windows User-Agents

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 03:54

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 03:54

Reported

2024-06-16 03:56

Platform

win7-20240221-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2248 set thread context of 3012 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 356 set thread context of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 set thread context of 656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 2248 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 2248 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 2248 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 2248 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 2248 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 2248 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 2248 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 3012 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3012 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 3012 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 3012 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 3012 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 356 wrote to memory of 656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe

"C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe"

C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe

"C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DVNJE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 billabong4102.no-ip.biz udp

Files

memory/2248-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2248-3-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2248-5-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2248-15-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2248-77-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2248-69-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2248-88-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2248-81-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2248-80-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2248-79-0x0000000000404000-0x0000000000405000-memory.dmp

memory/2248-59-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2248-39-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2248-27-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2248-91-0x00000000027E0000-0x0000000002833000-memory.dmp

memory/3012-96-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3012-94-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3012-92-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3012-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3012-100-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3012-102-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3012-103-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2248-107-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3012-106-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3012-110-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3012-105-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DVNJE.bat

MD5 4eb61ec7816c34ec8c125acadc57ec1b
SHA1 b0015cc865c0bb1a027be663027d3829401a31cc
SHA256 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512 f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

memory/3012-135-0x0000000002920000-0x0000000002973000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

MD5 8865691de473843b215833286f4bb605
SHA1 55abdc6e053713d99a988946fa37373ca2ce3363
SHA256 74eae461bf0f65e8d9b22b986ee8827b34c8263f9a3299c8067ca5da619cc140
SHA512 1b609b9905f4ae84491aca987856ca265c78cdda4c09144b22e7f0245645ed9c7667271cf0d8e052da2265f86ed6f31be58499c617fd40ae82ebe05eef0157dc

memory/356-151-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3012-150-0x0000000002920000-0x0000000002973000-memory.dmp

memory/3012-149-0x0000000002920000-0x0000000002973000-memory.dmp

memory/356-156-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/356-231-0x0000000000400000-0x0000000000453000-memory.dmp

memory/356-177-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/356-166-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/656-248-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3012-247-0x0000000000400000-0x000000000040B000-memory.dmp

memory/356-251-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3012-256-0x0000000000400000-0x000000000040B000-memory.dmp

memory/872-261-0x0000000000400000-0x000000000040B000-memory.dmp

memory/656-262-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 03:54

Reported

2024-06-16 03:56

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1964 set thread context of 3192 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 1932 set thread context of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 set thread context of 4896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 1964 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 1964 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 1964 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 1964 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 1964 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 1964 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 1964 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe
PID 3192 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Windows\SysWOW64\cmd.exe
PID 3192 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Windows\SysWOW64\cmd.exe
PID 3192 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Windows\SysWOW64\cmd.exe
PID 1320 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1320 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1320 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3192 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 3192 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 3192 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
PID 1932 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe

"C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe"

C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe

"C:\Users\Admin\AppData\Local\Temp\e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NBMVM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp
US 8.8.8.8:53 billabong4102.no-ip.biz udp

Files

memory/1964-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1964-3-0x00000000021B0000-0x00000000021B2000-memory.dmp

memory/1964-4-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1964-7-0x00000000021F0000-0x00000000021F2000-memory.dmp

memory/1964-6-0x00000000021E0000-0x00000000021E2000-memory.dmp

memory/3192-5-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3192-9-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3192-11-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1964-13-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NBMVM.txt

MD5 4eb61ec7816c34ec8c125acadc57ec1b
SHA1 b0015cc865c0bb1a027be663027d3829401a31cc
SHA256 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512 f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

MD5 b5998ed5ce520568158923b2dfd222c6
SHA1 8eef994abe50fbe7c5e30d62194c8af42db99a84
SHA256 e8045854aaa5789e7af6cc8655b574ec738678b9f2a98d98c242d91ed1e22606
SHA512 c7f958707a75e1497cde04369ebaf5ba1af1c2bad6b7ece26d0dfa3aad96bfacb645e7360e4262fe0b646e30cd70a723e4c0468a17652ab869f3aa63b0a2d16c

memory/4896-42-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4896-50-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4896-49-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4896-53-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4896-48-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1932-47-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3192-56-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4568-57-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4896-58-0x0000000000400000-0x0000000000414000-memory.dmp